Secure File Sharing

Data leakage during file sharing continues to be a major problem for cybersecurity, especially with the advent of cloud storage. The articles cited here were presented in the first half of 2014 and cover topics including secure storage, cryptosystems, pattern-driven security systems, and access control enforcement.

Albahdal, Abdullah A; Alsolami, Fahad; Alsaadi, Fawaz, "Evaluation of Security Supporting Mechanisms in Cloud Storage," Information Technology: New Generations (ITNG), 2014 11th International Conference on, vol., no., pp.285,292, 7-9 April 2014. (ID#:14-1781) URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6822212&isnumber=6822158 Cloud storage is one of the most promising services of cloud computing. It holds promise for unlimited, scalable, flexible, and low cost data storage. However, security of data stored at the cloud is the main concern that hinders the adoption of cloud storage model. In the literature, there are many proposed mechanisms to improve the security of cloud storage. These proposed mechanisms differ in many aspects and provide different levels of security. In this paper, we evaluate five different mechanisms for supporting the security of the cloud storage. We begin with a brief description of these mechanisms. Then we evaluate these mechanisms based on the following criteria: security, support of writing serializability and reading freshness, workload distribution between the client and cloud, performance, financial cost, support of accountability between the client and cloud, support of file sharing between users, and ease of deployment. The evaluation section of this paper forms a guide for individuals and organizations to select or design an appropriate mechanism that satisfies their requirements for securing cloud storage. Keywords: Availability; Cloud computing; Encryption; Secure storage; Writing; Cloud Computing; Cloud Security; Cloud Storage

Cheng-Kang Chu; Chow, S.S.M.; Wen-Guey Tzeng; Jianying Zhou; Deng, R.H., "Key-Aggregate Cryptosystem for Scalable Data Sharing in Cloud Storage," Parallel and Distributed Systems, IEEE Transactions on, vol.25, no.2, pp.468,477, Feb. 2014. (ID#:14-1782) URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6497048&isnumber=6689796 Data sharing is an important functionality in cloud storage. In this paper, we show how to securely, efficiently, and flexibly share data with others in cloud storage. We describe new public-key cryptosystems that produce constant-size ciphertexts such that efficient delegation of decryption rights for any set of ciphertexts are possible. The novelty is that one can aggregate any set of secret keys and make them as compact as a single key, but encompassing the power of all the keys being aggregated. In other words, the secret key holder can release a constant-size aggregate key for flexible choices of ciphertext set in cloud storage, but the other encrypted files outside the set remain confidential. This compact aggregate key can be conveniently sent to others or be stored in a smart card with very limited secure storage. We provide formal security analysis of our schemes in the standard model. We also describe other application of our schemes. In particular, our schemes give the first public-key patient-controlled encryption for flexible hierarchy, which was yet to be known. Keywords: cloud computing; private key cryptography; public key cryptography; smart cards; storage management; ciphertext set; cloud storage; compact aggregate key; constant-size ciphertexts; data sharing security; decryption rights; file encryption; formal security analysis; key-aggregate cryptosystem; public-key cryptosystems; public-key patient-controlled encryption; scalable data sharing; secret key holder; smart card; Cloud storage; data sharing; key-aggregate encryption; patient-controlled encryption

Skillen, A; Mannan, M., "Mobiflage: Deniable Storage Encryption for Mobile Devices," Dependable and Secure Computing, IEEE Transactions on, vol.11, no.3, pp.224,237, May-June 2014. (ID#:14-1783) URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6682886&isnumber=6813632 Data confidentiality can be effectively preserved through encryption. In certain situations, this is inadequate, as users may be coerced into disclosing their decryption keys. Steganographic techniques and deniable encryption algorithms have been devised to hide the very existence of encrypted data. We examine the feasibility and efficacy of deniable encryption for mobile devices. To address obstacles that can compromise plausibly deniable encryption (PDE) in a mobile environment, we design a system called Mobiflage. Mobiflage enables PDE on mobile devices by hiding encrypted volumes within random data in a device's free storage space. We leverage lessons learned from deniable encryption in the desktop environment, and design new countermeasures for threats specific to mobile systems. We provide two implementations for the Android OS, to assess the feasibility and performance of Mobiflage on different hardware profiles. MF-SD is designed for use on devices with FAT32 removable SD cards. Our MF-MTP variant supports devices that instead share a single internal partition for both apps and user accessible data. MF-MTP leverages certain Ext4 file system mechanisms and uses an adjusted data-block allocator. These new techniques for sorting hidden volumes in Ext4 file systems can also be applied to other file systems to enable deniable encryption for desktop OSes and other mobile platforms. Keywords: Androids; Encryption; Humanoid robots; Law; Mobile communication; Mobile handsets; File system security; deniable encryption; mobile platform security; storage encryption

Uzunov, Anton V.; Fernandez, Eduardo B.; Falkner, Katrina, "A Comprehensive Pattern-Driven Security Methodology for Distributed Systems," Software Engineering Conference (ASWEC), 2014 23rd Australian, vol., no., pp.142, 151, 7-10 April 2014. (ID#:14-1784) URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6824119&isnumber=6824087 Incorporating security features is one of the most important and challenging tasks in designing distributed systems. Over the last decade, researchers and practitioners have come to recognize that the incorporation of security features should proceed by means of a systematic approach, combining principles from both software and security engineering. Such systematic approaches, particularly those implying some sort of process aligned with the development life-cycle, are termed security methodologies. One of the most important classes of such methodologies is based on the use of security patterns. While the literature presents a number of pattern-driven security methodologies, none of them are designed specifically for general distributed systems. Going further, there are also currently no methodologies with mixed specific applicability, e.g. for both general and peer-to-peer distributed systems. In this paper we aim to fill these gaps by presenting a comprehensive pattern-driven security methodology specifically designed for general distributed systems, which is also capable of taking into account the specifics of peer-to-peer systems. Our methodology takes the principle of encapsulation several steps further, by employing patterns not only for the incorporation of security features (via security solution frames), but also for the modeling of threats, and even as part of its process. We illustrate and evaluate the presented methodology via a realistic example -- the development of a distributed system for file sharing and collaborative editing. In both the presentation of the methodology and example our focus is on the early life-cycle phases (analysis and design). Keywords: Analytical models; Computer architecture; Context; Object oriented modeling; Security; Software; Taxonomy; distributed systems security; secure software engineering; security methodologies; security patterns; security solution frames; threat patterns

Kaaniche, Nesrine; Laurent, Maryline, "A Secure Client Side Deduplication Scheme in Cloud Storage Environments," New Technologies, Mobility and Security (NTMS), 2014 6th International Conference on, vol., no., pp.1,7, March 30 2014-April 2 2014. (ID#:14-1785) URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6814002&isnumber=6813963 Recent years have witnessed the trend of leveraging cloud-based services for large scale content storage, processing, and distribution. Security and privacy are among top concerns for the public cloud environments. Towards these security challenges, we propose and implement, on OpenStack Swift, a new client-side deduplication scheme for securely storing and sharing outsourced data via the public cloud. The originality of our proposal is twofold. First, it ensures better confidentiality towards unauthorized users. That is, every client computes a per data key to encrypt the data that he intends to store in the cloud. As such, the data access is managed by the data owner. Second, by integrating access rights in metadata file, an authorized user can decipher an encrypted file only with his private key. Keywords: (Not provided)

Alsolami, Fahad; Boult, Terrance E., "CloudStash: Using Secret-Sharing Scheme to Secure Data, Not Keys, in Multi-clouds," Information Technology: New Generations (ITNG), 2014 11th International Conference on, vol., no., pp.315,320, 7-9 April 2014. (ID#:14-1786) URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6822216&isnumber=6822158 Cloud storages have many exciting features that attract many individuals and organizations for storing and sharing data over the cloud. However, security and key management are still remaining the highlighted concerns in cloud storage. Managing/protecting keys is a problem for existing approaches, and opens the risk of attackers working to offline brute-force crack the decryption and/or surreptitiously obtaining the key and using it offline. To address these issues, we propose the Cloud Stash scheme, a system that applied the secret-sharing scheme directly on the file to store multi-shares of a file into multi-clouds. Cloud Stash utilizes secret-sharing, low cost cloud storages and multi-threading to improve confidentiality, availability, performance and fault tolerance. Cloud Stash achieves this improvement by splitting a file into multi-shares of secret and distributing these multi-shares into multi-clouds simultaneously where threshold shares are required to reconstruct the file. Our experiments show that Cloud Stash is statistically significantly faster for small files, and even for large files the added cost is not statistically worse. So the added security benefits are nearly free from the users' perspective. Keywords: Availability; Cloud computing; Encryption; Nickel; Standards; Cloud storage security; key management; multi-clouds; performance; secret-sharing

Yukyeong Wi, Jin Kwak, "Secure Data Management Scheme In The Cloud Data Center," International Journal of Advanced Media and Communication, Volume 5 Issue 2/3, April 2014, Pages 225-232. (ID#:14-1788) URL: http://dl.acm.org/citation.cfm?id=2608768.2608779&coll=DL&dl=GUIDE&CFID=514607536&CFTOKEN=40141344 or http://dx.doi.org/10.1109/TNET.2012.2210729 Recently, the research about the cloud computing service focused on the data synchronization to various devices of the users when he or she does at anywhere and anytime. Also, secure and effective management and sharing technology is needed for cloud data center's stored data to securely provide data synchronization service. However, in cloud data center, there are the potential for that to security concern from the internal storage unauthorized access by malicious attacker such as stored data forgery, leakage and the upload of the unauthorized data. Therefore, in this paper, we propose a secure data management scheme in the cloud data center by categorization of the data e.g., importance, types, file size and so on. Keywords: (not provided)

Dinh Tien Tuan Anh, Anwitaman Datta, "Streamforce: Outsourcing Access Control Enforcement For Stream Data To The Clouds," CODASPY '14 Proceedings of the 4th ACM Conference On Data And Application Security And Privacy , March 2014, Pages 13-24. (ID#:14-1789) URL: http://dl.acm.org/citation.cfm?id=2557547.2557556&coll=DL&dl=GUIDE&CFID=514607536&CFTOKEN=40141344 or http://dx.doi.org/10.1145/2557547.2557556 In this paper, we focus on the problem of data privacy on the cloud, particularly on access controls over stream data. The nature of stream data and the complexity of sharing data make access control a more challenging issue than in traditional archival databases. We present Streamforce -- a system allowing data owners to securely outsource their data to an untrusted (curious-but-honest) cloud. The owner specifies fine-grained policies which are enforced by the cloud. The latter performs most of the heavy computations, while learning nothing about the data content. To this end, we employ a number of encryption schemes, including deterministic encryption, proxy-based attribute based encryption and sliding-window encryption. In Streamforce, access control policies are modeled as secure continuous queries, which entails minimal changes to existing stream processing engines, and allows for easy expression of a wide-range of policies. In particular, Streamforce comes with a number of secure query operators including Map, Filter, Join and Aggregate. Finally, we implement Streamforce over an open-source stream processing engine (Esper) and evaluate its performance on a cloud platform. The results demonstrate practical performance for many real-world applications, and although the security overhead is visible, Streamforce is highly scalable. Keywords: access control, cloud computing, outsourced databases, stream processing

Junbeom Hur, Kyungtae Kang, "Secure Data Retrieval for Decentralized Disruption-Tolerant Military Networks," IEEE/ACM Transactions on Networking (TON), Volume 22 Issue 1, February 2014, Page 16-26. (ID#:14-1790) URL: http://dl.acm.org/citation.cfm?id=2591204.2591205&coll=DL&dl=GUIDE&CFID=514607536&CFTOKEN=40141344 or http://dx.doi.org/10.1109/TNET.2012.2210729 Mobile nodes in military environments such as a battlefield or a hostile region are likely to suffer from intermittent network connectivity and frequent partitions. Disruption-tolerant network (DTN) technologies are becoming successful solutions that allow wireless devices carried by soldiers to communicate with each other and access the confidential information or command reliably by exploiting external storage nodes. Some of the most challenging issues in this scenario are the enforcement of authorization policies and the policies update for secure data retrieval. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution to the access control issues. However, the problem of applying CP-ABE in decentralized DTNs introduces several security and privacy challenges with regard to the attribute revocation, key escrow, and coordination of attributes issued from different authorities. In this paper, we propose a secure data retrieval scheme using CP-ABE for decentralized DTNs where multiple key authorities manage their attributes independently. We demonstrate how to apply the proposed mechanism to securely and efficiently manage the confidential data distributed in the disruption-tolerant military network. Keywords: (not provided)

Mordechai Guri, Gabi Kedma, Buky Carmeli, Yuval Elovici, "Limiting Access To Unintentionally Leaked Sensitive Documents Using Malware Signatures," (ID#:14-1793) URL: http://dl.acm.org/citation.cfm?id=2613087.2613103&coll=DL&dl=GUIDE&CFID=514607536&CFTOKEN=40141344 or http://dx.doi.org/10.1145/2613087.2613103 Organizations are repeatedly embarrassed when their sensitive digital documents go public or fall into the hands of adversaries, often as a result of unintentional or inadvertent leakage. Such leakage has been traditionally handled either by preventive means, which are evidently not hermetic, or by punitive measures taken after the main damage has already been done. Yet, the challenge of preventing a leaked file from spreading further among computers and over the Internet is not resolved by existing approaches. This paper presents a novel method, which aims at reducing and limiting the potential damage of a leakage that has already occurred. The main idea is to tag sensitive documents within the organization's boundaries by attaching a benign detectable malware signature (DMS). While the DMS is masked inside the organization, if a tagged document is somehow leaked out of the organization's boundaries, common security services such as Anti-Virus (AV) programs, firewalls or email gateways will detect the file as a real threat and will consequently delete or quarantine it, preventing it from spreading further. This paper discusses various aspects of the DMS, such as signature type and attachment techniques, along with proper design considerations and implementation issues. The proposed method was implemented and successfully tested on various file types including documents, spreadsheets, presentations, images, executable binaries and textual source code. The evaluation results have demonstrated its effectiveness in limiting the spread of leaked documents. Keywords: anti-virus program, data leakage, detectable malware signature, sensitive document

John Criswell, Nathan Dautenhahn, Vikram Adve, "Virtual Ghost: Protecting Applications From Hostile Operating Systems," ASPLOS '14 Proceedings of the 19th International Conference On Architectural Support For Programming Languages And Operating Systems, February 2014, Pages 81-96. (ID#:14-1794) URL: http://dl.acm.org/citation.cfm?id=2541940.2541986&coll=DL&dl=GUIDE&CFID=514607536&CFTOKEN=40141344 or http://dx.doi.org/10.1145/2541940.2541986 Applications that process sensitive data can be carefully designed and validated to be difficult to attack, but they are usually run on monolithic, commodity operating systems, which may be less secure. An OS compromise gives the attacker complete access to all of an application's data, regardless of how well the application is built. We propose a new system, Virtual Ghost, that protects applications from a compromised or even hostile OS. Virtual Ghost is the first system to do so by combining compiler instrumentation and run-time checks on operating system code, which it uses to create ghost memory that the operating system cannot read or write. Virtual Ghost interposes a thin hardware abstraction layer between the kernel and the hardware that provides a set of operations that the kernel must use to manipulate hardware, and provides a few trusted services for secure applications such as ghost memory management, encryption and signing services, and key management. Unlike previous solutions, Virtual Ghost does not use a higher privilege level than the kernel. Virtual Ghost performs well compared to previous approaches; it outperforms InkTag on five out of seven of the LMBench microbenchmarks with improvements between 1.3x and 14.3x. For network downloads, Virtual Ghost experiences a 45% reduction in bandwidth at most for small files and nearly no reduction in bandwidth for large files and web traffic. An application we modified to use ghost memory shows a maximum additional overhead of 5% due to the Virtual Ghost protections. We also demonstrate Virtual Ghost's efficacy by showing how it defeats sophisticated rootkit attacks. Keywords: control-flow integrity, inlined reference monitors, malicious operating systems, software fault isolation, software security

Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) SecureDataBank.net for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.